Days after the celebrity law firm that represents Madonna, Bruce Springsteen, and Nicki Minaj admitted it was “victimized by a cyberattack,” the hackers that executed the breach released their first batch of stolen data Thursday: files that focused on the law firm’s work with Lady Gaga.

The unnamed hacker group, using ransomware dubbed “REvil,” launched the cyberattack against the internal data systems of Grubman Shire Meiselas & Sacks; on Wednesday, they asked the law firm for $21 million in exchange for the 756 gigabytes of stolen data. However, after the firm allegedly hired cyber-extortion specialists to combat the ransomware demands, the hackers released a 2.4-gigabyte batch of files Thursday.

“It seems that GRUBMANS doesn’t care about their clients or it was a mistake to hire a recovery company to help in the negotiations,” the hackers wrote. “As we promised, we [published] the first part of the data because the time is up.” A source close to the firm confirmed to Rolling Stone that the company has declined to pay any ransom.

The “first part” was a 2.4-gigabyte folder including legal work the law firm did for Lady Gaga: contracts sent to producers, collaborators, and members of her touring ensemble; promotional agreements; expense sheets; confidentiality agreement forms; performer agreements; reimbursement forms for the artist Jeff Koons; a handful of promotional photos; and reams of tedious paperwork one would expect to find in the database of an entertainment law firm. (A representative for Lady Gaga declined to comment.)

Soon after the hackers dropped the initial 2.4 gigabytes of information, they issued a “little press release” saying that their demands had not been met and that “the ransom is now $42 million.” They also claimed to be in possession of documents connected to President Trump.

“There’s an election race going on, and we found a ton of dirty laundry. Mr. Trump, if you want to stay president, poke a sharp stick at the guys, otherwise you may forget this ambition forever,” they wrote. “And to you voters, we can let you know that after such a publication, you certainly don’t want to see him as president. Well, let’s leave out the details. The deadline is one week.” A source close to the firm confirmed to Rolling Stone, however, that the law firm had no dealings with Trump.

“Our elections, our government, and our personal information are under escalating attacks by foreign cybercriminals. Law firms are not immune from this malicious activity,” a spokesperson for Grubman Shire Meiselas & Sacks told Rolling Stone in a statement. “Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom. We are working directly with federal law enforcement and continue to work around the clock with the world’s leading experts to address this situation.

“The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others,” the spokesperson added. “We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law. Even when enormous ransoms have been paid, the criminals often leak the documents anyway.”

“Adhering to [Department of Justice] standard practice, the FBI neither confirms nor denies the existence of any investigation. We have no further comment for you,” a rep for the bureau told Rolling Stone.

Prior to Thursday’s leak, the ransomware group only revealed three documents related to the cyberattack: a form with Christina Aguilera’s signature, a contract related to Madonna’s Madame X tour, and a blanket nondisclosure agreement from Lizzo’s tour. The website for Grubman Shire Meiselas & Sacks has displayed only the law firm’s logo since the day of the ransomware attack last Saturday.

Antivirus software maker Emsisoft’s threat analyst Brett Callow tells Rolling Stone that the law firm’s main options to retrieve its data are restoring its backups — if it kept backups and the hackers didn’t already delete them — or paying the ransom, which at $42 million is the largest ransomware request on record.

“This is a lose-lose situation for both the firm and its clients,” Callow tells Rolling Stone. “If the firm does not pay the criminals, it’s likely that more data will be published. If the firm does pay, it will simply receive a pinky promise from a bad-faith actor that the stolen data will be destroyed. But why would a criminal enterprise ever delete data that it may be able to further monetize, and especially if that data may have a high market value?” For example, there is nothing preventing the hackers from reaching a settlement with the law firm, only to then turn around and shake down their celebrity clients with the stolen data.

Emsisoft estimates that ransomware fleeces victims out of $1.9 billion annually in the U.S. alone; globally, that figure balloons to $25 billion. “Ransomware is hugely profitable,” Callow says, adding that “about 25 percent of all types of ransomware have faulty encryption that enables us to break it so people can get their data back. REvil’s encryption is perfectly implemented so it cannot be broken in that way.”

However, these cyberattacks usually avoid public scrutiny — they’re often settled quietly between the two parties, often without informing those whose personal information has been compromised — but the situation involving the Grubman law firm and its high-profile celebrity clients magnified the issue of ransomware.

“I think it’s probably the only ransomware negotiation that’s taken place with a huge amount of public scrutiny,” Callow says. “In some ways, this is a good thing. It may shine more light on the issue. It’s a huge problem. There are a whole bunch of groups that steal and publish data. They’ve stolen information from banks, people’s credit card numbers are online, tax returns, veterans’ PTSD claims, medical records, missile schematics … you name it, it’s online. And most people have no clue it’s going on.”

Callow adds, “Companies must do more to protect their data, their customers’ data, and their business partners’ data.”

Grubman Shire Meiselas & Sacks’ Full Statement

Our elections, our government and our personal information are under escalating attacks by foreign cybercriminals. Law firms are not immune from this malicious activity. Despite our substantial investment in state-of-the-art technology security, foreign cyberterrorists have hacked into our network and are demanding $42 million as ransom. We are working directly with federal law enforcement and continue to work around the clock with the world’s leading experts to address this situation.

The leaking of our clients’ documents is a despicable and illegal attack by these foreign cyberterrorists who make their living attempting to extort high-profile U.S. companies, government entities, entertainers, politicians, and others. Previously, the United States Department of Defense, HBO, Goldman Sachs, as well as numerous state and local governments have been victims of similar cybercriminal attacks.

We have been informed by the experts and the FBI that negotiating with or paying ransom to terrorists is a violation of federal criminal law. Even when enormous ransoms have been paid, the criminals often leak the documents anyway.

We are grateful to our clients for their overwhelming support and for recognizing that nobody is safe from cyberterrorism today. We continue to represent our clients with the utmost professionalism worthy of their elite stature, exercising the quality, integrity, and excellence that have made us the number-one entertainment and media law firm in the world.